
Download of WindowsCloudNextGen failed from server http://dci.sophosupd.com/update.

We see this a fair bit for no obvious reason and no common reason i.e. mix of clients, mix of locations, internet access works.

Doesn't appear to have any practical impact other than being an annoyance in the logs.

Any ideas what's causing it please?



  • We see this quite frequently as well, for no apparent reason.  Is there any resolution?

  • What is in the following log files:

    • %temp%\Sophos Endpoint Bootstrap_(datetime).txt
      Note: It's the temp directory of the installing user.  If SophosInstall.exe was run as System (AD startup-script), it would be in %windir%\temp\ for example.
    • %programdata%\Sophos\Management Communications System\Endpoint\Logs\McsClient.log
    • %programdata%\Sophos\AutoUpdate\logs\SophosUpdate.log


    The Sophos Endpoint Bootstrap log will have the initial validation checks to the update source and the management servers.
    The McsClient.log will have if the computer was able to register (did it get an endpoint ID, did it get the needed updating policy and credentials to provide Sophos AutoUpdate).
    The SophosUpdate.log will detail if the computer has credentials and why it can't update when it tries to download files.

    Regards,

    Jak

  • I think you can attach files :)

    Syncing file 537a1ca1123a7e6dc6d6127bae7df5fex000.dat: 2920448 bytes: ntp64/Sophos Network Threat Protection.msi
    2017-02-10T13:48:58.494Z [ 6404] INFO  SUL-Log [I19464] File 537a1ca1123a7e6dc6d6127bae7df5fex000.dat: sync failed
    2017-02-10T13:48:58.494Z [ 6404] ERROR SUL-Log [E83521] Cannot create stream d1.sophosupd.com/.../537a1ca1123a7e6dc6d6127bae7df5fex000.dat called from winhttp_stream_buff_data::handle_error_status

    I assume, that there is something blocking this .dat file; which is actually just the file "Sophos Network Threat Protection.msi" renamed.

    Can you download this file in the browser:
    http://d1.sophosupd.com/update/537a1ca1123a7e6dc6d6127bae7df5fex000.dat

    I suspect you might get an error or a "device is blocking it" page?

    If you can get the .dat, you could copy it to:
    "C:\ProgramData\Sophos\AutoUpdate\data\warehouse\"

    and then force an update.  This would get around the immediate problem but I'd be surprised if you can get it with a browser if SophosUpdate.exe can't fetch it.

    Regards,

    Jak

  • New to this forum.  Sorry.  :-/

    The file is being blocked by our firewall. I'll check on this on our end.

    What's strange is it happens frequently, but not always to the same users.  Then suddenly, I look in Sophos Central, and it has "fixed itself."

  • Maybe the firewall was updated with a fixed "identity"? 

    I believe that AutoUpdate might be switching over to HTTPS in the not too distant future so that should help with this sort of thing generally unless of course you're also doing SSL inspection.

    Regards,
    Jak

  • I'll check into that.  Thanks for the info!

  • I am a new Sophos customer and I have not been able to get a single installation to work yet. I keep getting this error. I have tried all of the steps mentioned in this blog and a few others too. Has there been any further development on this issue?

    Everything appears to install fine and the dashboard says that everything is great, then about 15 min later I get a message saying the unit is unprotected and the "Download of WindowsCloudNextGen failed from server http://dci.sophosupd.com" message is in the event window.

    Any help would be appreciated.

    Patrick

  • Can you Pastebin or share out your SophosUpdate.log from the \programdata\sophos\autoupdate\logs directory?

  • Hi Patrick,

    2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
    2017-05-19T17:47:23.551Z [13340] INFO ProductInstaller::RunUpdateCheck Endpoint must be rebooted.

    ..

    2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
    2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudNextGen, error: 5

    I believe the first check which has resulted in:

    Endpoint is not currently updateable

    is if the process (SophosUpdate.exe) can open the key:
    hklm\system\currentcontrolset\service\sophos autoupdate service

    I think it then goes on to query the description value and maybe set it.

    The process that kicks off SophosUpdate is the Sophos AutoUpdate service (alsvc.exe).  This runs as system and so does sophosupdate as a child process so I don't know why it would have issues.

    I would start by checking:

    1. The Sophos AutoUpdate service is running as system user 

    2. SophosUpdate.exe when launched is running as System.  

    Process Explorer from Sysinternals would be good for these checks.

    3. Check the above key, specifically for the effective rights of the System user.

    Beyond that, have you tried restarting the computer given the next line:
    Endpoint must be rebooted.

    Maybe do that first and then the above.

    Regards,

    Jak
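
The two SophosUpdate.log excerpts quoted in this thread show different failure classes: a warehouse .dat file that could not be fetched from the update host, and registry writes rejected on the endpoint itself. The following script is an added example, not part of the original posts and not Sophos code; the function name `triage` and the result keys are assumptions, and the sample input is constructed from the log lines quoted above.

```python
import re

# Constructed sample: lines copied from the SophosUpdate.log excerpts quoted in this thread.
SAMPLE_LOG = """\
Syncing file 537a1ca1123a7e6dc6d6127bae7df5fex000.dat: 2920448 bytes: ntp64/Sophos Network Threat Protection.msi
2017-02-10T13:48:58.494Z [ 6404] INFO  SUL-Log [I19464] File 537a1ca1123a7e6dc6d6127bae7df5fex000.dat: sync failed
2017-02-10T13:48:58.494Z [ 6404] ERROR SUL-Log [E83521] Cannot create stream d1.sophosupd.com/.../537a1ca1123a7e6dc6d6127bae7df5fex000.dat called from winhttp_stream_buff_data::handle_error_status
2017-05-19T17:47:23.551Z [13340] ERROR ProductInstaller::RunUpdateCheck Endpoint is not currently updateable. Aborting endpoint update
2017-05-19T17:47:23.551Z [13340] INFO ProductInstaller::RunUpdateCheck Endpoint must be rebooted.
2017-05-19T17:47:23.555Z [13340] ERROR RegistryVersionPersister::Save Error writing version for line ID WindowsCloudNextGen, error: 5
2017-05-19T17:47:23.556Z [13340] ERROR RegistryVersionPersister::Save Error deleting line ID subkey WindowsCloudHitmanProAlert, error: 5
"""

SYNCING = re.compile(r"Syncing file (\S+\.dat): (\d+) bytes: (.+)$")
SYNC_FAILED = re.compile(r"File (\S+\.dat): sync failed")
STREAM_ERR = re.compile(r"Cannot create stream ([^/\s]+)/(?:\S*/)?([^/\s]+\.dat)")
REG_ERR = re.compile(r"RegistryVersionPersister::Save Error .* line ID (?:subkey )?(\w+), error: (\d+)")


def triage(log_text):
    """Separate in-transit download failures from host-side permission failures."""
    names, hosts, failed, denied = {}, {}, [], set()
    reboot = False
    for line in log_text.splitlines():
        if m := SYNCING.search(line):
            names[m[1]] = (m[3].strip(), int(m[2]))  # .dat name -> (real file, size)
        elif m := SYNC_FAILED.search(line):
            if m[1] not in failed:
                failed.append(m[1])
        elif m := STREAM_ERR.search(line):
            hosts[m[2]] = m[1]  # .dat name -> update host it was requested from
        elif m := REG_ERR.search(line):
            if m[2] == "5":  # Win32 error 5 is ERROR_ACCESS_DENIED
                denied.add(m[1])
        elif "Endpoint must be rebooted" in line:
            reboot = True
    blocked = []
    for dat in failed:
        real, size = names.get(dat, (None, None))
        blocked.append({"dat": dat, "host": hosts.get(dat), "file": real, "bytes": size})
    return {"blocked": blocked, "access_denied": sorted(denied), "reboot_pending": reboot}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Entries under `blocked` name the real installer behind each .dat file and the host it came from, which is what a firewall or gateway administrator needs to match against their block logs; entries under `access_denied` point to the service account and registry permission checks listed in the post above.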

     

  • After lots of testing over the weekend, it appears that my Sonicwall Gateway protection software sees everything that Sophos does as a threat. I am trying to fight through all of the different threat alerts to whitelist the traffic, but it is taking a lot of time. I will post an update if that ends up fixing everything.

    Meanwhile, I have one computer that I want to try uninstalling and reinstalling the agent on. However, it says that I can't because tamper protection is on. The problem is that even after turning the protection off, it still won't uninstall. Any tips on how to remove a stubborn instance of the agent?

    Patrick

  • Hello Jak,

    Where is Sophos at with SonicWALL to resolve this false positive? This thread is over 6 months old yet it is still happening (brand new customer here, ran into the same issue).

    Thanks,

    Karl

  • I suspect you'd have to get in touch with SonicWall if their rules keep detecting legitimate files.  I'm not familiar with their products but maybe you can make exclusions from the Sophos domains sophosupd.com and sophosupd.net to prevent it happening in the meantime.

    A quick search on Google turned up this page:

    https://support.sonicwall.com/kb/sw7833

    If you can download the blocked file and send it to them with details of the detection rule it fired on that should get things rolling.

    Regards,

    Jak


  • Is this a configuration issue? It's identifying Sophos as a trojan. I guess I am just curious why this is something that we have to take care of spending an hour or two on the phone with them, or opening up our external firewall when the program itself is being identified as an issue. In the past, when Sonicwall was blocking a program by grandMA, they contacted their support and handled the issue.

    Is it wrong to expect the same level of support from Sophos?

  • There is another way to resolve this.

    White-list a group of trusted Sophos Sites (domains/URLs) and add them to a SonicWALL firewall to bypass the SonicWALL Cloud AntiVirus scanning security and allow for proper installation/update of the Sophos products. Add the following list of Sophos sites as FQDN WAN objects to the SonicWALL firewall:

    *.sophos.com

    *.sophosupd.com

    *.sophosupd.net

    *.sophosxl.net

    ocsp2.globalsign.com

    crl.globalsign.com